WASHINGTON – Following a Ways and Means Committee hearing with Health and Human Services Secretary Xavier Becerra yesterday, 20 committee Republicans sent a letter led by Congressman Vern Buchanan, Chairman of the Health Subcommittee, expressing concerns regarding the recent cyberattack on Change Healthcare.

When discussing the cyberattack, Secretary Becerra failed to detail how the administration is prioritizing patients in the wake of the attack. The letter specifically calls on the department to put patients first, while ensuring their data is protected from this massive attack on our nation’s health care system.

“I am extremely concerned about the status of the investigation by HHS into the devastating cyberattack on Change Healthcare,” said Congressman Buchanan. “The administration needs to focus their attention on patients first and foremost to make sure they are still able to receive access to timely, quality care while ensuring their private and sensitive health care information in protected.”

On February 21, 2024, Change Healthcare, which “supports 14 billion clinical, financial, and operational transactions annually,” reportedly suffered from a massive cyberattack. Researchers at the University of Minnesota revealed that there’s a nearly 21 percent increase in mortality for patients in a ransomware-attacked hospital.

The Fallout from the Change Healthcare cyberattack is costing health providers as much as $1 billion a day. Furthermore, according to the American Hospital Association, 94 percent of hospitals in the country are experiencing a financial impact from the cyberattack. Shockingly, nearly 60 percent of those hospitals reported at least $1 million of impacted revenue per day.

“While we appreciate that the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently opened an investigation into the cyberattack on Change Healthcare (and its parent company, UnitedHealth Group (UHG)), we remain concerned that patients are not the primary focus of this investigation,” the lawmakers wrote in the letter. “Not only are providers losing up to a billion dollars a day in payment delays – potentially leading to delayed or deferred care for patients – the lack of transparency for patients regarding the status of their protected health information poses an active threat to patient well-being.”

In addition to being the Vice Chairman and most senior Republican on the powerful U.S. House Ways and Means Committee, Buchanan is also the Chairman of the Health Subcommittee, which has broad jurisdiction over traditional Medicare, the Medicare prescription drug benefit program, and Medicare Advantage.

You can read the full letter HERE or below:

March 21, 2024

Secretary Becerra,

We write to you to share our grave concerns regarding the cyberattack on Change Healthcare. Discovered on February 21st, this cyberattack has severely impacted stakeholders throughout our nation’s health care ecosystem, including the most important stakeholders of all: patients.

While we appreciate that the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently opened an investigation into the cyberattack on Change Healthcare (and its parent company, UnitedHealth Group (UHG)), we remain concerned that patients are not the primary focus of this investigation. Not only are providers losing up to a billion dollars a day in payment delays – potentially leading to delayed or deferred care for patients – the lack of transparency for patients regarding the status of their protected health information poses an active threat to patient well-being.

In your March 10, 2024, letter to health care leaders on the cyberattack, you urge UHG, insurance companies, and other payers to implement ten different objectives.[1] Unfortunately, none of your recommended proposals dealt specifically with protecting patient privacy and data – despite enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and patient privacy protection being one of OCR’s core functions.[2]

Patients are the best advocates for protection of their sensitive health information. As recently as 2022, the American Medical Association (AMA) found that nearly 75% of patients expressed concern about protecting their personal health data.[3] In the face of this cyberattack, working with payers and providers to ensure patient data are secure should be a core tenet of all future engagement.

The dangers facing patients at present are severe, irreversible, and life-lasting. One cybersecurity director at a large U.S. hospital system has emphasized “that though they are in regular contact with Change and UnitedHealth, they have heard nothing so far about the security or integrity of patient records.”[4] This official also expressed concerns regarding “the prospect of the hackers potentially publishing the stolen sensitive patient data online.”[5] With much information still unknown about the stolen patient data, OCR should be focusing their efforts on partnering with the private sector and other governmental entities to ensure that bad actors do not have access to private medical data to manipulate or extort innocent patients.

We would like to work with you to ensure patients affected by the hack are supported throughout this process. To that end, please answer the following questions and submit them to the Republican members of the Ways and Means Committee no later than March 31, 2024.

  1. It is our understanding UnitedHealth has not disclosed information about what patient data may have been exposed. What efforts are HHS and OCR taking to determine which patients had personal information stolen? When, and in what manner, will such patients be notified that their data has been exposed?
  1. Are you working with UHG and law enforcement officials to track and trace stolen patient data?
  1. The ransomware gang claims to have access to data relating to all of Change Healthcare’s clients. To what degree is that true? How is OCR putting patients first as it continues to navigate this investigation?
  1. Will HHS and OCR commit to frequent and thorough updates of this investigation to ensure transparency and cross coordination between departmental agencies, Congress, and all affected stakeholders?
  1. With ransomware attacks increasing in frequency in recent years, how are you working with the private sector and patients to ensure HHS is providing the best tools and practices possible to patients affected by cyberattacks?
  1. What technology can be incorporated by the private sector and HHS to help avoid these hacks in the future?
  1. What regulatory barriers are in place that make patients’ privacy less secure and safe?

We look forward to your continued engagement on this issue and commitment to putting patients first as we work to strengthen and secure our nation’s health care system.

Sincerely,